Chatta subito con l'assistenza
Chat con il supporto

Privilege Manager for Unix 7.3 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

pmscp

Description

Use pmscp in conjunction with scp to launch the remote scp -t and scp -f daemons by means of pmrun -h. This allows you to use Privilege Manager for Unix to launch the remote scp daemons.

pmscp provides an alternate encryption channel for the scp command leaving authentication requirements to your Privilege Manager for Unix policy. Either put /opt/quest/bin in your PATH or use the absolute path.

Examples

To copy files to the /tmp directory on remote host, as root run the following:

scp -S pmscp <filename> user@remotehost:/tmp

pmserviced

Syntax
pmserviced [-d] [-n] [-s] [-v] [-z on|off[:<pid>]]
Description

The Privilege Manager for Unix service daemon, (pmserviced) is a persistent process that spawns the configured Privilege Manager for Unix services on demand. The pmserviced daemon is responsible for listening on the configured ports for incoming connections for the Privilege Manager for Unix daemons. It is capable of running the pmmasterd, pmlocald, pmclientd, and pmtunneld services.

Only one of pmmasterd and pmclientd may be enabled as they use the same TCP/IP port. For more information about these daemon settings, see the individual topics in PM settings variables.

Options

pmserviced has the following options.

Table 83: Options: pmserviced
Option Description

-d

Logs debugging information such as connection received, signal receipt and service execution.

By default, pmserviced only logs errors.

-n

Does not run in the background or create a pid file. By default, pmserviced forks and runs as a background daemon, storing its pid in /var/opt/quest/qpm4u/pmserviced.pid. When you specify the -n option, it stays in the foreground. If you also specify the -d option, error and debug messages are logged to the standard error in addition to the log file or syslog.

-s

Connects to the running pmserviced and displays the status of the services, then exits.

-v

Displays the version number of Privilege Manager for Unix and exits.

-z

Enables or disables tracing for pmserviced.

Before using this option, see Enabling program-level tracing.

pmserviced Settings

pmserviced uses the following options in /etc/opt/quest/qpm4u/pm.settings to determine the daemons to run, the ports to use, and the command line options to use for each daemon.

Table 84: Options: pmserviced
Daemon Name Flag to enable daemon Listen on port Command line options

pmclientd

pmclientdEnabled

masterport

pmclientdOpts

pmlocald

pmlocaldEnabled

localport

pmlocaldOpts

pmmasterd

pmmasterdEnabled

masterport

pmmasterdOpts

pmtunneld

pmtunneldEnabled

tunnelport

pmtunneldOpts

Table 85: Settings: pmserviced
Setting Description

pmservicedLog pathname | syslog

Fully qualified path to the pmserviced log file or syslog.

pmmasterdEnabled YES | NO

When set to YES, pmserviced runs pmmasterd on demand.

masterport number

The TCP/IP port pmmasterd or pmclientd uses to listen.

pmmasterdOpts options

Any command line options passed to pmmasterd.

pmlocaldEnabled YES | NO

When set to YES, pmserviced runs pmlocald on demand.

localport number

The TCP/IP port pmlocald uses to listen.

pmlocaldOpts options

Command line options passed to pmmasterd.

pmclientdEnabled YES | NO

When set to YES, pmserviced runs pmclientd on demand.

pmclientdOpts options

Any command line options passed to pmclientd.

pmtunneldEnabled YES | NO

When set to YES, pmserviced runs pmtunneld on demand.

tunnelport number

The TCP/IP port pmtunneld uses to listen.

pmtunneldOpts

Any command line options passed to pmtunneld.

Files
  • settings file: /etc/opt/quest/qpm4u/pm.settings

  • pid file: /var/opt/quest/qpm4u/pmserviced.pid

Related Topics

pmlocald

pmmasterd

pmsh

Syntax
pmsh -a|-b|-c <file>|-e|-f|-i|-m|-n|-o <option>|-s|-u|-v|-x|-C|-E|-I|-B|-V
     [-U <user>]
Description

The Privilege Manager for Unix Bourne Shell (pmsh) command is a fully featured version of sh, that provides transparent authorization and auditing for all commands submitted during the shell session. pmsh supports the standard options for sh.

Using the appropriate policy file variables, you can configure each command entered during a shell session, to be:

  • forbidden by the shell without further authorization to the policy server

  • allowed by the shell without further authorization to the policy server

  • presented to the policy server for authorization

Once allowed by the shell, or authorized by the policy server, all commands run locally as the user running the shell program.

Options

pmsh has the following options.

Table 86: Options: pmsh
Option Description

-a

Flags variables for export when assignments are made to them.

-b

Enables asynchronous notification of background job completion. (UNIMPLEMENTED) .

-B

Allows the shell to run in the background.

-c <file>

Reads commands from a file instead of from standard input.

-C

Does not overwrite existing files with `>'.

-e

Exits immediately if any untested command fails in non-interactive mode. The exit status of a command is considered to be explic- itly tested if the command is part of the list used to control an if, elif, while, or until; if the command is the left hand oper- and of an ``&&'' or ``||'' operator; or if the command is a pipe- line preceded by the ! operator. If a shell function runs and its exit status is explicitly tested, all commands of the function are considered to be tested as well.

-E

Enables the built-in emacs(1) command line editor (disables the -V option if it has been set; set automatically when interactive on terminals).

-f

Disables pathname expansion..

-h

A do-nothing option for POSIX compliance.

-i

Forces the shell to behave interactively.

-I

Ignores EOF's from input when in interactive mode.

-m

Turns on job control (set automatically when interactive).

-n

If not interactive, reads commands but do not run them. This is useful for checking the syntax of shell scripts.

-o <option>

Sets the specified shell option. A list of shell options can be displayed using the set -o builtin command.

-s

Reads commands from standard input (set automatically if no file arguments are present). This option has no effect when set after the shell has already started running (i.e., when set with the set command).

-u

Writes a message to standard error when attempting to expand a variable, a positional parameter or the special parameter ! that is not set, and if the shell is not interactive, exit immediately.

-v

The shell writes its input to standard error as it is read. Useful for debugging.

-V

Enables the built-in vi command-line editor (disables -E if it has been set).

-x

Writes each command (preceded by the value of the PS4 variable subjected to parameter expansion and arithmetic expansion) to standard error before it is run. Useful for debugging.

pmsh supports the following builtin commands:

., :, [, alias, bg, break, cd, chdir, command, continue, echo, eval, exec, exit, export, false, fg, getopts, hash, jobs, kill, local, printf, pwd, read, readonly, return, set, shift, test, times, trap, true, type, ulimit, umask, unalias, unset, wait

pmshellwrapper

Syntax
pmshellwrapper
Description

Use the pmshellwrapper program as a wrapper for any valid login shell on a host. It provides full keystroke logging for any normal shell, but does not provide authorization of the commands run from the shell.

To use pmshellwrapper, you must create a link for the real shell you want to use. For example:

ln -s /opt/quest/libexec/pmshellwrapper 
/opt/quest/bin/pmshellwrapper_bash

When the user runs pmshell_bash, it transparently converts this to pmrun bash.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione